mesos-reviews mailing list archives

From Andrei Budnik <abud...@mesosphere.com>
Subject Re: Review Request 70010: Store `logrotate` config in memfd file instead of container's sandbox.
Date Fri, 22 Feb 2019 17:59:49 GMT


> On Feb. 21, 2019, 7:26 p.m., Gilbert Song wrote:
> > When I was testing the containerizer memfd sealing, I have observed out of FD leak on my dev machine, due to the leak from whitelisting the FD. Could we manually test the scale before landing this patch?

> Could we manually test the scale before landing this patch?

It doesn't make sense.
`mesos-logrotate-logger` opens the `memfd` FD _once_ during initialization. The FD's lifetime
is bound to the `mesos-logrotate-logger` process lifetime. It's not leaked, it's _shared_ between
this process and the periodic `logrotate` process, which is a short-lived process.


> On Feb. 21, 2019, 7:26 p.m., Gilbert Song wrote:
> > src/slave/container_loggers/logrotate.cpp
> > Lines 88 (patched)
> > <https://reviews.apache.org/r/70010/diff/2/?file=2125948#file2125948line92>
> >
> >     Does it hurt if we add CLOEXEC?

The semantics of using `memfd` in this case is to _share_ the FD between processes. So, adding
CLOEXEC might confuse the reader, as the flag is not necessary.


- Andrei


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70010/#review213032
-----------------------------------------------------------


On Feb. 19, 2019, 5:06 p.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70010/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2019, 5:06 p.m.)
> 
> 
> Review request for mesos, Gilbert Song, Greg Mann, and Joseph Wu.
> 
> 
> Bugs: MESOS-9564
>     https://issues.apache.org/jira/browse/MESOS-9564
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Previously, logrotation module stored the `logrotate` configuration
> file in container's sandbox directory, so that it was garbage collected
> together with the container's sandbox. If the container's task had
> permissions to modify this configuration file, it was possible to run
> any command under an unprivileged user. This patch stores `logrotate`
> config in an anonymous temporary file via `memfd`, so logrotation module
> can pass a path to procfs instead of container's sandbox. This approach
> solves the aforementioned security issue on Linux when
> `ENABLE_LAUNCHER_SEALING` configuration flag is specified.
> 
> 
> Diffs
> -----
> 
>   src/slave/container_loggers/logrotate.cpp b989de3e4cd3fdc1d8bdccfc83c22c99519eea7b
> 
> 
> Diff: https://reviews.apache.org/r/70010/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>
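
The FD sharing and the CLOEXEC question discussed in this thread, as an added example that is not part of the original messages or of the Mesos patch: a config is stored in a `memfd` and a forked-and-exec'd child reads it through a procfs path, once with the descriptor inherited and once with `FD_CLOEXEC` set. Assumptions: `cat` stands in for `logrotate`, the path has the form `/proc/self/fd/N`, and the config text and the function name `config_bytes_seen_by_child` are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample config; not the file the Mesos module generates. */
static const char CONFIG[] = "/tmp/sandbox/stdout {\n  size 10M\n  rotate 9\n}\n";

/* Stores CONFIG in a memfd, then forks and execs `cat <procfs path>` as a
 * stand-in for the short-lived logrotate process (assumption: the path has
 * the form /proc/self/fd/N). Returns the number of config bytes the child
 * could read, or -1 if setup failed. */
long config_bytes_seen_by_child(int set_cloexec)
{
    /* Raw syscall so this builds without _GNU_SOURCE. flags == 0 means no
     * MFD_CLOEXEC: the descriptor stays open across exec. */
    int fd = (int)syscall(SYS_memfd_create, "logrotate.conf", 0U);
    if (fd < 0) return -1;
    if (write(fd, CONFIG, strlen(CONFIG)) != (ssize_t)strlen(CONFIG)) return -1;
    if (set_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) return -1;

    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);

    int out[2];
    if (pipe(out) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: the "logrotate" side */
        dup2(out[1], STDOUT_FILENO);      /* send what cat reads to the parent */
        close(out[0]); close(out[1]);
        execlp("cat", "cat", path, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    close(out[1]);
    long total = 0; ssize_t n; char buf[256];
    while ((n = read(out[0], buf, sizeof buf)) > 0) total += n;
    close(out[0]); close(fd);
    waitpid(pid, NULL, 0);
    return total;
}

int main(void)
{
    printf("inherited FD: child read %ld bytes\n", config_bytes_seen_by_child(0));
    printf("FD_CLOEXEC:   child read %ld bytes\n", config_bytes_seen_by_child(1));
    return 0;
}
```

With the descriptor inherited, the child reads the whole config; with `FD_CLOEXEC` set, the descriptor is closed at exec, the procfs path no longer resolves, and the child reads nothing.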

